Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Silent renew not working in a new tab #588

Closed
GabrielGil opened this issue Mar 3, 2020 · 17 comments
Closed

Silent renew not working in a new tab #588

GabrielGil opened this issue Mar 3, 2020 · 17 comments
Labels
investigate

Comments

@GabrielGil
Copy link
Contributor

GabrielGil commented Mar 3, 2020
edited
Loading

Description
When a user is logged-in in my app and opens the same app in a new tab, oidcService returns isAuthenticated = false after hitting the timeout. Calling "login" logs in the user directly without authorization.

Logs

This happens when opening a new tab when the first tab is authorized.
image

This happens when refreshing a page which is authorized.
The only warning: init check session: authWellKnownEndpoints is undefined

image
image

I have configured the frame CSP, the silent-renew.html file is added to the assets array etc. The silent renew frame is actually loading, but the checkSession iframe is empty.

Configuration

{
  "stsServer": "http://localhost:3000",
  "redirect_url": "http://localhost/account/callback",
  "client_id": "octavo",
  "response_type": "code",
  "post_logout_redirect_uri": "http://localhost/account/bye",
  "start_checksession": true,
  "silent_renew": true,
  "silent_renew_url": "http://localhost/silent-renew.html",
  "log_console_warning_active": true,
  "log_console_debug_active": true
}

Versions

  • Angular: 9.0.1
  • oidc-client: 10.0.15
@remkoboschker
Copy link

remkoboschker commented Mar 4, 2020
edited
Loading

The new tab does bot have access to the session storage of the other tab. So you do not have access to any tokens received previously

@GabrielGil
Copy link
Contributor Author

Thank you for your answer @remkoboschker. I am aware that the session storage is unique to the opened tab. However, I would expect that the silent renew kicks in an attempt to get new tokens from the STS server, where the user is still logged in.

Could maybe one of the code owners confirm this (@damienbod)?

@k-schneider
Copy link

This was working in the previous release. It just cropped up in 10.0.15.

@GabrielGil
Copy link
Contributor Author

You are right @k-schneider. I have checked my app just downgrading to 10.0.14 and I can confirm this issue is a regression. In a new tab, the iframe for silent renew just kicks in directly so users are finely authenticated.

Let me know if any clarification is needed or I can help in any way @damienbod.

@GabrielGil GabrielGil mentioned this issue Mar 16, 2020
Closed
@koo9
Copy link

koo9 commented Mar 16, 2020

any update on this issue? will downgrade for now.

@GabrielGil
Copy link
Contributor Author

From what I can see, #599 may have something to do. But there was no release since the one I reported (10.0.15), so we will have to use 10.0.14 for now @koo9.

@damienbod
Copy link
Owner

damienbod commented Mar 20, 2020
edited
Loading

I plan to refactor this for version 11. I have 3 use cases, and not sure which is best, or if I should support all with configurtion:

  • A new tab is a new instance and so must login (login click required)
  • A user tab is a new instance and the app should automatically login (Silent renew from the beginning)
  • If I logout of tab 1 instance, should tab 2 be logged out, or not

What would you require?

@damienbod damienbod mentioned this issue Mar 20, 2020
Closed
@GabrielGil
Copy link
Contributor Author

Considering what I know about OIDC, the article about Secure authentication for SPAs by Dennis Stötzel and my personal experience, I believe the best option would be:

  1. A new tab should automatically silent renew, if possible.
  2. Logout of one of the tabs, should logout from the other tabs by using the check session. Once the STS cannot confirm the user is logged in, the tab clears the sessionStorage.

I believe this should be the default behaviour. Otherwise, it'd be possible for a user to log-in in tab1 with user A, logout from the STS, open tab2 and login with userB. Ultimately, the user will face issues on tab1 since the renew will fail at some point.

Thanks for your time. Please, let me know your thoughts and points of view too. :)

@remkoboschker
Copy link

remkoboschker commented Mar 20, 2020
edited
Loading

I am working on handling a complex registration scenario with our identity provider team. If a user is redirected back to our application after registration, they can be in a new browser instance (for instance webview on mobile after link in email). That means that they have just authenticated for the first time with the idp, but the token validation fails, because there is no local state. I think therefore that an attempt to validate a token when there is no state should trigger a login attempt (and because the idp has just set a session cookie the user need not notice it).

We use refresh tokens in stead of the hidden iframe. Would the iframe solution fix such an issue when silent renew automatically runs in a new tab?

Does this maken sense?

@GabrielGil
Copy link
Contributor Author

Refresh tokens are nowadays highly discouraged for browser apps. The iframe solution would work fine in your case, as long as you use ChromeTabs (in Android) as webview is also discouraged both for security and performance concerns.

If you follow this pattern @remkoboschker, your users log-in once (ie, in Chrome for Android), and then when tapping "login" in a native app, the idp session will be the same, so will not need to log in again. This way, no client app session is stored anywhere but in memory/session storage. I recommend you give it a look to the last link I shared here regarding secure auth in SPAs where you have more info about this.

This is already working, if you use v10.0.14, and tentatively in the future v11 which @damienbod announced today.

@remkoboschker
Copy link

What would need to happen when automatic silent renew fails? Would this trigger a login attempt and cover the first usecase mentioned by @damienbod ?

@damienbod
Copy link
Owner

damienbod commented Mar 20, 2020
edited
Loading

@remkoboschker no/ you would need to click login

@k-schneider
Copy link

I'd agree with @GabrielGil... a new tab should always try and login via silent refresh (if silent refresh is enabled) and your checksession functionality should be able to handle logging you out of all tabs when your session ends on the STS.

@damienbod what version of Angular will v11 target? Will it work with both Angular v8 and v9?

@remkoboschker
Copy link

@GabrielGil thank you, I have read the article.

@damienbod
Copy link
Owner

@k-schneider haven't decided, I would like to support 8, but also what to move to Angular 9 for the development. But it would make sense to support V8 onwards I think. I also have a lot of V8 projects still.

@damienbod damienbod mentioned this issue Mar 20, 2020
Closed
@damienbod
Copy link
Owner

This has been refactored fixed and changed in version 11 which we plan to release in the next few days after testing

Greetings Damien

@joshcomley
Copy link

joshcomley commented Mar 26, 2021
edited
Loading

@damienbod does your last update last year mean that a new tab should try and use the iframe to silently renew? I can't seem to find a sample that does this, perhaps I am missing something

Edit: to be clear, start-sample-code-flow-auto-login does auto-login on a new tab, but gets the token via redirecting the main app rather than an iframe - is this the expected behaviour?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
investigate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@joshcomley @GabrielGil @remkoboschker @damienbod @koo9 @k-schneider